Ensure composer.lock is present, to allow for reproducible local-dev and CI testing

While trying out latest `main`, it became evident that CI is not really stable, in its current
state, because dependencies like `phpunit/phpunit`, `vimeo/psalm`, `phpstan/phpstan` and `squizlab/php_codesniffer`
keep shifting within the boundaries of `composer.json`.

In order to freeze them in place, `composer.lock` is introduced, so that they can be upgraded
individually, therefore preventing headaches when installing the project locally, for either
verifying a bug, or contributing to it.

This change is a bit of a shift from the previous approach, but should allow for better stability,
and better dependency upgrade/checking, so that @dependabot patches breaking CI can be identified
more easily.

.gitattributes

@@ -8,6 +8,7 @@
 /build/                     export-ignore
 /captainhook.json           export-ignore
 /CHANGELOG.md               export-ignore
+/composer.lock              export-ignore
 /codecov.yml                export-ignore
 /CODE_OF_CONDUCT.md         export-ignore
 /CONTRIBUTING.md            export-ignore

.gitignore

@@ -1,5 +1,4 @@
 /captainhook.config.json
-/composer.lock
 /phpcs.xml
 /phpunit.xml
 /vendor/